Emerging threats to critical infrastructure

Michael Kolatchev, principal consultant at Rossnova Solutions and Lina Kolesnikova, consultant at Rossnova Solutions, investigate potential threats to critical infrastructure.

Critical infrastructures are complex, interconnected systems and operations that are subject to a wide range of hazards and threats. Disruptions to critical infrastructure can affect or even jeopardise delivery of essential services. Threats, when realised, may lead to severe social effects, negative economic consequences, and human casualties. The risk to critical infrastructure is increasing as new threats emerge.

A threat is more vaguely defined than a hazard, and that makes it more suitable for categorisation and analysis. Without attempting a scientific definition here, one can think of a threat as a danger. There are general threats (amount of danger) and specific threats.

Categorisation of threats

To permit a generalised and consistent analysis of critical infrastructure, it is important to build a generalised catalogue of threats, which can then be uniformly used. Using the catalogue permits comprehensible analysis.

Attempts at creating catalogues often occur within specific industries, and rarely span beyond one or two industries. These attempts often fall short of the ambition to go beyond one restrictively defined scope. Among the more advanced, though still restricted, is the IT domain and, more broadly, Information Security, which has, among others, catalogues of threats like ISO 27001 or NIST MTC, catalogues of specific threats (due to vulnerabilities) like CVE, and catalogues of controls aiming to protect against threats and risks, like the ISO standard and NIST 800-53. When categorising threats across various critical infrastructures (CIs), we should stay at a high level, summarising threats into broad categories.

Below are some of the more prominent categories, which now demand higher attention.

Threat categories

Geopolitics

This topic plays a particularly crucial role. Tensions between countries and/or regions, strategic competitions, state rivalries - all these might challenge critical infrastructure. Threats are related to both supply and demand dependencies in fossil fuels, particularly raw or processed materials, food, workforce, technologies, data, etc.

Meanwhile, in the interconnected world, critical infrastructures are no longer passive sites to be used in the service, but can themselves be used to project someone’s power if they are blocked or challenged in some way. The term infrastructural geopolitics came into being in 2020.

Technological developments in recent decades have brought forward something that did not really exist before - the geopolitics of technology. It is all about the role of Big Tech companies in the modern world, their technological superiority and control over products, and more importantly about their knowledge, expertise and very ability to produce and maintain such products (let alone capability to further develop them). Many technological products crossed borders and their owners (mainly, private businesses) are now setting rules.

This brings multiple types of new threats. Associated commercial threats are being gradually addressed, though slowly, by the antitrust (anti-monopoly) laws of different countries. However, private control of international technology services and platforms means that private individuals on the boards of these businesses make decisions. The international payment industry, with SWIFT, Visa and Mastercard and a few key payment backbones, is one example where arbitrary decisions apply. Top international social networks represent another obvious example, where so-called rules and policies are often vague and are applied arbitrarily.

As well as arbitrarily applying “private” decisions and arbitrary rules, such businesses might also be forced by their national governments to do things which become realised threats to other countries. Growing understanding of this situation, e.g. US control of key payment industries, leads to growing discussions on technological and digital sovereignty. In payments, more countries are now looking at setting up payment chains in such a way that their intra-national markets are less impacted by eventual foreign decisions. It is possible that we will see a return of “national” and, possibly, the arrival of new “regional” or “group” infrastructures, or, at least, the arrival of less-dependent alternatives more equally accommodating the needs of their different stakeholders.

Electronics, another example, depends on chips. The most powerful modern chips are expensive to design and to produce with quality. This requires years and decades of expertise, which is scarce. Very few producers in the world hold leading positions. Among them are ARM (UK) in design and ASML (The Netherlands) in production of advanced manufacturing equipment. ASML is particularly important as it seems to have a hold on production of the most advanced EUV (extreme ultraviolet lithography) manufacturing equipment. Other important players are from Japan, South Korea, Taiwan and China. The latter is an example where the threat of geopolitics of technology is being realised – i.e. China is denied access to the latest technology and, it seems, has decided to invest massively in its own technology. Geopolitics clearly shaped the objectives set to “re-shore” more components of chip production supply chains – both in the US (CHIPS for America and FABS Acts bring previously missing subsidies, due to threat assessment) and in China (due to sanctions). One thing is clear – geopolitics of technologies is now one of the major considerations.

Privately made decisions by technology-holders, and geopolitically funded supply chain changes, are big threats. Transnational deployment of technologies highlights another group of threats, in the “ownership” and “applicable governance” area as well. Submarine cables are part of critical infrastructure and depend a lot on geopolitics. Even though each cable has its owner, most critical inter-continental cables themselves lie on the ocean floor, the “no man’s land”. Technically, they are open to anyone’s physical access, even though very few countries in the world currently have the capability to reach them. Given the growing criticality of the internet and capabilities built upon it, and telecommunication in general, such cables give rise to important threats spanning beyond their immediate critical infrastructure.

There are obvious and non-obvious dependencies in supply chains (both “physical” and “digital”). Covid has shown some of them, especially in transportation and healthcare. All of a sudden, previously healthy supplies of basic healthcare materials (masks, etc.) were strongly disturbed. So much of the material was manufactured abroad (e.g. in China) that world transportation problems had an immediate negative effect, sometimes leading to bitter rivalries for supplies even between otherwise friendly states. Japan’s decision to dump radioactive water into the Pacific Ocean is a more recent example. Fishing and sea product delivery (in the East) were disturbed almost overnight, as some countries banned or introduced stricter controls on Japanese supplies.

Outsourcing is another dependency which has grown a lot in past decades. Outsourcing is an approach used in many industries. Foreign companies delivering outsourced services are subject to their own rules and national regulations (and, of course, geopolitics). If significant changes should happen there within short periods of time, companies within critical infrastructure might become lacking in some of their critical capabilities. As a result, regular “third party security” considerations might need to be expanded.

Natural hazards

Natural hazards (earthquakes, flooding, fires, space weather…) and climate change are expected to heavily affect infrastructure through heatwaves, floods and droughts. According to the EU Joint Research Center, annual damage to Europe’s critical infrastructure could increase ten-fold by the end of the century under business-as-usual scenarios due to climate change alone, from the current EUR 3.4 billion to EUR 34 billion. The transport and energy sectors are expected to suffer the highest losses to climate-induced disruption.

Ownership and control

Change of control and ownership elements. Most critical infrastructures are in private ownership and/or part of big entities. They can have complex structures, affiliations and HQs in other countries. States and critical infrastructure increasingly depend on infrastructure and assets that are partially or completely located outside their jurisdiction and over which they have little or no control. For example, financial institutions often outsource data processing services and customer services to companies abroad. Those companies may experience a change of control, and new owners might even be from yet another country, with another set of policies and geopolitical objectives. How could one continue to ensure threat control? Privatisation and nationalisation add to it.

One may rely on certain existent infrastructures but what would happen, and would infrastructures remain reliable if certain state-owned infrastructures become privately owned, where owners might decide differently due to their commercial or personal interests, or may impose their own rules? The same comes with nationalisation, where currently “open-to-all” capabilities might become unavailable to some players outside of national borders due to local political or geopolitical decisions. Accessibility of services and systems will see new threats too, in particular, new threat scenarios.

Forced delivery failure by globalised infrastructures brings forward fragmentation. In turn, this may lead to incompatibility, beyond purely technical terms. Rules associated with accessibility and the use of such services and systems might become contradictory, for example, rules associated with certain services versus national regulations. Industries dependent on such services and systems need to re-visit their threat scenarios. If the fragmentation trend is not reversed, and there are no signs that it can be reversed at this stage, related existing and new threats will grow in importance, due to the spreading lack of interoperability and a further path to a failure of standardisation. Fewer global standards could then be reached, again fuelling fragmentation.

Unpredictable events

Black Swans are unforeseen events of massive scale which are hard to predict. By definition, such events can be geopolitical, economic or something else by nature. This is not necessarily a totally new category of threats, as such. But, at least, re-assessment of threats and re-visiting assumptions is a critical task to carry out. We all witness “unthinkable” things becoming perfectly real. Previously respectful and reliable partners might become totally unreliable or unwanted within hours or days. Threats associated with manmade catastrophes are there too. In the past, this would be primarily linked to bugs and faults in systems.

Nowadays, new threats need to be considered due to overreliance on automation, proliferation of AI-powered solutions and approaches, growing issues and maintenance costs.

For example, AI is a hot topic. Imagine, AI might be considered as an “algorithm” defining how a system can build and continuously modify its decision algorithms. This might mean that no one would know the decision algorithm of an AI-powered system at any future moment in time. If so, what will you test your system against? Consider a shift from any deterministic logic to measuring acceptability of outcomes and input-fuzzing; a “what” without “how”.

Organised crime

The risk of criminal activities to critical infrastructure used to assume threats come from outside. Nowadays, some critical infrastructures (ports and airports, for example) ARE the places of crime with high infiltration by organised crime groups.

Ports have become one of the most valuable parts of complicated criminal schemes with billions at stake. The largest ports like Antwerp, Rotterdam, Hamburg or Le Havre have become the El Dorado for drug traffickers and contrabandists and, consequently, contribute to the skyrocketing increase of drug consumption, drug-related crimes and urban violence in Europe.

Activism

Political and social activism with potential sabotage of activities by trade unions, eco or anti-capitalist movements or others can be both physical and cyber in nature and cause significant service disruptions.

Changes of human behaviour, autochthonous and allochthonous - this might be changing working attitudes, especially, in the forthcoming generations, with such things as a no night-shifts attitude, home- and tele-working, or cultural attitudes. Apart from the obvious effects, there might be some less obvious.

Skills

Loss of expertise and skills. Long-term failures in school curriculums and, in general, changing societal attitudes have led to a decrease of graduates in particular domains. And, often, these are critical domains on which critical infrastructures depend.

For example, nuclear energy and some other critical infrastructures face a lack of fresh “national” skills and expertise, which might lead to either a decline in such industries, or the necessity to open such critical infrastructures to an external foreign workforce.

Without even mentioning “old and evolving” threats such as terrorist and cyber-attacks, the unlawful use of drones, hybrid threats and so on, we are witnessing a growing number of emerging threats. With changes and conflicting agendas at many levels, and different international and national decisions, the unthinkable becomes real.

Fragmentation; potential failures in interoperability and standardisation, due to a global lack of trust; human behaviour, and who ultimately needs “the job” the most – a company or a worker? One can go on and on...
